From 1637f2dc79292e13b7d4a24dd43cd7258901b4e8 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 21 Nov 2022 11:25:39 -0500
Subject: [PATCH] [Rule Tuning] Shadow File Read via Command Line Utilities (#2403)
* Update privilege_escalation_shadow_file_read.toml description update, name update, query update, tags update, MITRE update
* Update privilege_escalation_shadow_file_read.toml edited order of MITRE
* changed file name to match credential_access as primary tactic changed file name to match credential_access as primary tactic
* excluded common executables, not related to "read", based on telemetry excluded common executables, not related to "read", based on telemetry
* update cred access reference MITRE
* toml-lint file for final validation
* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml revert name back to privilege_escalation...
* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml
* update update_date
* Changed primary tactic back to privilege_escalation to match rule name Changed primary tactic back to privilege_escalation to match rule name
---
 ...privilege_escalation_shadow_file_read.toml | 58 +++++++++++++++----
 1 file changed, 47 insertions(+), 11 deletions(-)
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index ebcd34d2a..30c2b36fd 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -3,35 +3,55 @@ creation_date = "2022/09/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/01"
+updated_date = "2022/11/21"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the manual reading of the /etc/shadow file via the commandline using standard system utilities.
-Threat actors will attempt to read this file, after elevating their privileges to root,
-in order to gain valid credentials they can utilize to move laterally undetected and access additional resources.
+Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating
+privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may
+utilize these to move laterally undetected and access additional resources.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Shadow File Read via Command Line Utilities"
+name = "Potential Shadow File Read via Command Line Utilities"
+references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"]
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action == "exec" and user.name == "root" and
-process.args : "/etc/shadow" and
-not process.executable: ("/usr/bin/find", "/usr/bin/cmp", "/bin/ls", "/usr/sbin/restorecon", "/usr/bin/uniq") and
-not process.parent.executable: "/bin/dracut"
+process where event.type == "start" and event.action == "exec" and user.name == "root"
+ and (process.args : "/etc/shadow" or 
(process.working_directory: "/etc" and process.args: "shadow"))
+ and not process.executable:
+ ("/usr/bin/tar",
+ "/bin/tar",
+ "/usr/bin/gzip",
+ "/bin/gzip",
+ "/usr/bin/zip",
+ "/bin/zip",
+ "/usr/bin/stat",
+ "/bin/stat",
+ "/usr/bin/cmp",
+ "/bin/cmp",
+ "/usr/bin/sudo",
+ "/bin/sudo",
+ "/usr/bin/find",
+ "/bin/find",
+ "/usr/bin/ls",
+ "/bin/ls",
+ "/usr/bin/uniq",
+ "/bin/uniq",
+ "/usr/bin/unzip",
+ "/bin/unzip")
+ and not process.parent.executable: "/bin/dracut"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -44,4 +64,20 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+ + [rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
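Review bot: The new exclusion list in `query` drops `/usr/bin/tar`, `/bin/tar`, `/usr/bin/gzip`, `/bin/gzip`, `/usr/bin/zip` and `/bin/zip` for any invocation that names `/etc/shadow`, yet the rewritten description says the rule now covers reading or dumping the file; an archiver run against that path copies its contents, so these entries open a detection gap rather than only removing noise. If telemetry shows the hits come from scheduled backup jobs, consider scoping the exclusion to the parent process, as the hunk already does for `/bin/dracut`, e.g. `and not process.parent.executable: ("/bin/dracut", "<backup-tool path: placeholder>")`, or at least add a `#` comment above the list recording that the archivers were excluded deliberately and why. The `/usr/bin/sudo` and `/bin/sudo` entries presumably rely on the command sudo launches producing its own root exec event that the rule still matches; a one-line comment stating that assumption would keep a future tuner from widening the exclusion. The metadata table these leading keys belong to is opened before the hunk.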